Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Control Tower

Dennis Kieselhorst
January 08, 2020
Technology
0
650

AWS Control Tower

AWS Control Tower ist die einfachste Methode zur Einrichtung und Kontrolle einer neuen, sicheren AWS-Umgebung. Der Vortrag geht auf den Sinn und Zweck einer Multi-Account Strategie ein und zeigt Zusammenhänge des neuen AWS Control Tower Service mit der bisherigen Landing Zone Solution und AWS Organizations auf. Teilnehmer haben am Ende des Vortrags das nötige Rüstzeug, um eine Well-Architected-Umgebung zu erstellen, in der sie Sicherheits-, Betriebs- und Compliance-Regeln zur Steuerung ihrer AWS-Workloads verwalten können.
https://aws.amazon.com/de/controltower/

Dennis Kieselhorst

January 08, 2020
Tweet

More Decks by Dennis Kieselhorst

See All by Dennis Kieselhorst
Log4j lessons learned - Vorbereitung auf den nächsten Zero-Day
deki
0
5
Modernize APIs to run serverless using Apache CXF
deki
0
34
A proactive approach to zero-days: Lessons learned from Log4j (Swiss Cloud Day 2022)
deki
0
8
Refactoring enterprise applications for cloud-native architecture (Swiss Cloud Day 2022)
deki
0
18
Wie man eine Spring Boot Anwendung in weniger als 30 Minuten Machine Learning fähig macht (code.talks 2022)
deki
0
31
OpenTelemetry - ein offener Standard für den Durchblick in Anwendungslandschaften (code.talks 2022)
deki
0
9
Metrics, Logs, Traces - Observability with Open Source using OpenTelemetry (AWS Usergroup Cologne)
deki
0
25
Log4Shell - Lessons learned
deki
0
7
Performance-Tweaks für Java-Serverless-Anwendungen
deki
0
23

Other Decks in Technology

See All in Technology
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
170
Amazon EventBridge Schedulerを用いて Amazon QuickSightの運用を改善した話
shogo452
1
210
ユーザーストーリーマッピング
kawaguti
PRO
4
720
今後の開発規模拡大、QA人材を爆速で立ち上げる
ymty
1
230
サービスレベル管理とは?〜計測すべき指標と活用について/What is Service Level Management
newrelic2023
0
300
全世界のユーザー体験の改善にNew Relic Mobileをどのように活用したか/How New Relic Mobile was used to improve the global user experience
isaoshimizu
2
370
「時系列データ」を ChatGPT で活かすには?!
soracom
PRO
0
330
Design insights from unit tests @ itkonekt 2023
victorrentea
0
110
監視からオブザーバビリティへ〜オブザーバビリティの成熟度/From Monitoring to Observability - Maturity of Observability
newrelic2023
0
420
ABEMAのRenderScript Intrinsics Replacement Toolkit 導入事例
takahana
0
150
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.5k
ChatGPTで開発者の英語の悩みを解決
takagimeow
0
120

Featured

See All Featured
The Cult of Friendly URLs
andyhume
70
5.2k
Web development in the modern age
philhawksworth
197
9.7k
Mobile First: as difficult as doing things right
swwweet
213
8k
Docker and Python
trallard
31
2.1k
Teambox: Starting and Learning
jrom
124
8k
What's in a price? How to price your products and services
michaelherold
234
10k
Building Adaptive Systems
keathley
29
1.5k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Web Components: a chance to create the future
zenorocha
304
41k
Automating Front-end Workflow
addyosmani
1352
200k
WebSockets: Embracing the real-time Web
robhawkes
58
6.2k

Transcript

  1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
    Dennis Kieselhorst
    Sr. Solutions Architect
    AWS Control Tower

    View Slide

  2. Agenda
    • Motivation - Why a multi-account strategy/ landing zone?
    • AWS Control Tower value proposition
    • A landing zone, the AWS Landing Zone solution and AWS Control
    Tower
    • AWS Control Tower – Enable, Provision, Operate
    • Demo
    • Q&A

    View Slide

  3. Why one AWS account isn’t enough
    Billing
    Many teams
    Security / compliance
    controls
    Business process
    Isolation

    View Slide

  4. Isolation with IAM and VPC in one account?
    “Gray” boundaries
    Complicated and messy over time
    Difficult to track resources
    People stepping on each other
    AWS Account

    View Slide

  5. Customers are faced with…
    Many
    design decisions
    The need to configure
    multiple accounts &
    services
    Establishing
    a security baseline &
    governance

    View Slide

  6. You need a “landing zone”
    • A configured, secure, scalable, multi-account
    (multiple resource containers) AWS environment
    based on AWS best practices
    • A starting point for net new development and
    experimentation
    • A starting point for migrating applications
    • An environment that allows for iteration and
    extension over time
    H

    View Slide

  7. Balancing the needs of builders and central cloud IT
    Builders:
    Stay agile
    Innovate with the speed and
    agility of AWS
    Cloud IT:
    Establish governance
    Govern at scale with
    central controls

    View Slide

  8. Business agility and governance control
    Governance

    Agility

    Self-service access
    Experiment fast
    Respond quickly
    to change

    View Slide

  9. landing zone, AWS Landing Zone, AWS Control Tower
    landing zone:
    • Secure pre-configured environment for your AWS presence
    • Scalable and flexible
    • Enables agility and innovation
    AWS Landing Zone Solution:
    • Implementation of a landing zone based on multi-account strategy guidance
    AWS Control Tower:
    • AWS Service version of AWS Landing Zone

    View Slide


  10. Provision

    Operate
    AWS Control Tower: Easiest way to set up and govern
    AWS at scale

    Enable
    Business agility + governance control

    View Slide


  11. Provision

    Operate
    AWS Control Tower: Enable for governance at scale

    Enable
    Business agility + governance control

    View Slide

  12. Enable governance Enable
    Set up an AWS
    landing zone
    Establish
    guardrails
    Automate compliant
    account provisioning
    Centralize identity
    and access
    Manage
    continuously

    View Slide

  13. Set up an AWS landing zone
    Master account
    AWS Control Tower AWS Organizations AWS Single
    Sign-On
    Stack sets AWS Service
    Catalog
    Log archive
    account
    Aggregate
    AWS CloudTrail
    and AWS Config
    logs
    Account
    baseline
    Audit account
    Security cross-
    account roles
    Account
    baseline
    Provisioned
    accounts
    Network
    baseline
    Account
    baseline
    Security
    notifications
    Core OU Custom OU AWS SSO
    directory

    View Slide

  14. Multi-account architecture
    • Baseline Organizations setup:
    • Core OU: AWS Control Tower baseline
    accounts (cannot change)
    • Custom OU: Your provisioned
    accounts
    Master account
    Organizations
    Log archive
    account
    Audit account Provisioned
    accounts
    Core OU Custom OU

    View Slide

  15. Demo

    View Slide

  16. Starter AWS multi-account framework
    AWS Cloud
    AWS Organizations
    Foundational Organizational Units (OUs)
    Security (Core OU) Infrastructure
    Δ Shared Services
    Δ Network
    Additional OUs

    View Slide

  17. Starter AWS multi-account framework
    AWS Cloud
    AWS Organizations
    Foundational Organizational Units (OUs)
    Security (Core OU) Infrastructure
    Δ Log Archive
    Δ Security Tooling
    Δ Shared Services
    Δ Network
    Additional OUs
    Control Tower deploys these automatically

    View Slide

  18. High-level OU structure
    AWS Cloud
    AWS Organizations
    Master
    Foundational Organizational Units (OU) Additional OU
    Infrastructure
    Δ Shared Services
    Δ Network
    Security (Core OU)

    View Slide

  19. Recommended AWS multi-account framework
    AWS Cloud
    AWS Organizations
    Master
    Foundational Organizational Units (OU)
    Infrastructure
    Δ Shared Services
    Δ Network
    Additional OU
    Security (Core OU)

    View Slide

  20. Centralize identity and access
    • AWS SSO provides default directory for identity
    • Preconfigured groups and permission sets
    • Option to integrate with your managed or on-premises
    Active Directory (AD) using AWS Managed Microsoft AD
    • How to integrate with Okta: https://tinyurl.com/y3226978

    View Slide

  21. Service Control Policies (SCPs)
    • Enables you to control which AWS service APIs are accessible
    - Define the list of APIs that are allowed – whitelisting
    - Define the list of APIs that must be blocked – blacklisting
    • SCPs are:
    Invisible to all users in the child account, including root
    Applied to all users in the child account, including root
    • Permission:
    intersection between the SCP and IAM permissions
    IAM policy simulator is SCP aware

    View Slide

  22. Disable Service APIs you Won’t be Using
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Deny",
    "Action": ”:*",
    "Resource": "*"
    }
    ]
    }
    NotAction
    (Optional) List the AWS actions exempt from the SCP. Used in place of
    the Action element.
    Resource List the AWS resources the SCP applies to.
    Condition (Optional) Specify conditions for when the statement is in effect.

    View Slide

  23. Organizational Units
    • Grouping of AWS Accounts
    • Service Control Polices (SCP) to the groups
    • Use permission grouping (NOT corporate structure)
    How likely is the group to need a set of similar policies?

    View Slide

  24. Establish guardrails
    • Preventive: prevents policy violations using
    SCPs
    • Detective: detect policy violations using AWS
    Config rules
    • A guardrail can be: mandatory, strongly
    recommended, or elective
    • Guardrails apply to organizational units (OUs)
    and all child accounts (new and existing)
    Organizational
    units
    Accounts
    Enable
    Enable
    Output
    Output
    Output
    Organizational
    units
    Accounts
    Preventive guardrail
    Granular AWS
    policies
    SCP
    Detective/remediable
    guardrails
    Granular
    AWS policies
    AWS Config
    rules
    Always
    compliant
    Non-
    compliant
    Compliant

    View Slide

  25. Guardrail examples
    Goal/Category Example
    IAM Require MFA for root user
    Data security
    Disallow public read access to Amazon S3 buckets
    Disallow public access to Amazon RDS database instances
    Network
    Disallow internet connection via Remote Desktop Protocol (RDP)
    Disallow internet connection through SSH
    Audit logs Enable AWS CloudTrail and AWS Config
    Monitoring Disallow policy changes to log archive
    AWS Control Tower
    setup
    Disallow changes to IAM roles set up by AWS Control Tower
    Operations Disallow EBS volumes that are unattached to an EC2 instance

    View Slide


  26. Provision

    Operate
    AWS Service Catalog: Secure self-service provisioning

    Enable
    Business agility + governance control

    View Slide

  27. Automate compliant account provisioning
    • Standardized account
    provisioning
    • Automatic enforcement of
    guardrails
    • Configurable network
    settings
    Account factory
    Network
    baseline
    Network
    CIDR
    Network
    regions
    OU Account
    baseline
    AWS Service
    Catalog
    AWS Service
    Catalog product
    New AWS account
    Network
    baseline
    Account
    baseline
    Guardrails
    Provision

    View Slide

  28. Enable secure self-service provisioning
    • Create best-practices templates with AWS CloudFormation or
    Terraform for commonly used products (Amazon EMR, Amazon EC2,
    etc.)
    • Create AWS Service Catalog products in the master AWS Control Tower
    account
    • Distribute products via Organizations to all of your AWS Control Tower
    managed accounts

    View Slide


  29. Provision

    Operate
    AWS Control Tower: Easiest way to set up and govern
    at scale

    Enable
    Business agility + governance control

    View Slide

  30. Operate with agility + control Operate
    Dashboard
    Continuous visibility into
    your multi-account
    environment
    Act
    Take operational
    action on resources
    Audit
    Audit resource
    configurations, user access,
    and policy enforcement
    Monitor
    Monitor resources
    and workloads

    View Slide

  31. Demo

    View Slide

  32. We thought we did this…

    View Slide

  33. But…

    View Slide

  34. AWS services that enable agility + governance
    AWS Control Tower
    AWS Organizations
    AWS Service Catalog
    AWS Well-Architected Tool
    AWS Budgets
    AWS License Manager
    AWS Marketplace (Private Marketplace)
    AWS CloudTrail
    AWS Config
    AWS Security Hub
    Amazon CloudWatch

    View Slide

  35. AWS Control Tower capabilities
    • Framework for creating and baselining a multi-account environment using AWS
    Organizations
    • Initial multi-account structure including security, audit, & shared service requirements
    • An account vending machine that enables automated deployment of additional
    accounts with a set of managed and monitored security baselines
    • A management console that shows compliance status of accounts
    • The ability to apply AWS best practice guardrails and Blueprints to accounts at
    account creation
    • The ability to detect and report on any drift / changes that have occurred that
    deviate from initial configuration options
    Account Management
    • User account access managed through AWS SSO federation
    • Integration options with other 3rd party SSO providers
    • Cross-account roles enable centralized management
    Identity &
    Access Management
    • Multiple accounts enable separation of duties
    • Initial account security and AWS Config rules baseline
    • Network baseline
    Security & Governance

    View Slide

  36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
    Thank you!
    Dennis Kieselhorst, Sr. Solutions Architect
    [email protected]
    Feedback form: https://amzn.to/35cfKWx

    View Slide